Emailing a Forgotten Password

[KDesigns]

Hey everybody,

I've scripted a User Authentication system for a client and everything works great so far. He wants to add a "forgot password" feature that his visitors can use if they forget their password.

I've got the MySQL database setup and a table for their email address.

What I need to do is simply create a form that someone will put their email address into and submit it. When they submit the form, I need to query the database and shoot the email address entered a message that includes the password associated with that email.

What's the easiest and quickest way to do this???

Your help... as always ... is appreciated!!

[KLB]

Given the fact that so many users use the same password for everything, it isn't wise to email the password so to speak, besides which it should be stored in the database as a MD5 hash or some equivalent.

The method I use on my sites is to have a special field in the table that will store a temporary string. When someone asks for their password to be recovered a random key is generated and stuck into this spare field. Then an email is sent to them with the special key embedded into a URL in the message. By clicking on the URL the site will recognize them and allow them to reset their password to whatever they want.

Whether you use a more secure method or simply pass a plain text password, you can simply use PHP's built in mail function. Of course the password/special key should only be emailed to the email account that is stored along with the user's profile in the database.

[boccio]

What I need to do is simply create a form that someone will put their email address into and submit it. When they submit the form, I need to query the database and shoot the email address entered a message that includes the password associated with that email.

I have to agree with KLB - it's better to use more secure method, hence to keep pwds in db encrypted...but if u want to stick to scenario you explained, make one change: dont ask for e-mail address in form! aks for user name, and send pwd to e-mail address associated to user name during registration...
If u ask for e-mail address, and wrong one is entered, what happens? You display error msg? That way you politely inform attacker he entered wrong address and give him opportunity to try again...
One more thing - when user requests pwd, temporarily 'flag' his account so he cannot ask for it over and over again...

stay good

[KDesigns]

Okay...

I do have the passwords stored in the database encrypted. This means I won't even be able to email them the password huh? How can I go about setting it up like you mentioned KLB??

Thanks in advance!!!

[brainpipe]

One more thing - when user requests pwd, temporarily 'flag' his account so he cannot ask for it over and over again...

This is a good idea, but be careful how you use it. The last thing you want to do is anger a valid user simply because she's having trouble remembering her password.

The method I use on my sites is to have a special field in the table that will store a temporary string. When someone asks for their password to be recovered a random key is generated and stuck into this spare field. Then an email is sent to them with the special key embedded into a URL in the message. By clicking on the URL the site will recognize them and allow them to reset their password to whatever they want.

I definitely agree with this. Don't email the original password, and when a "forgot password" request is made, reset the original immediately and email the owner with a notification of the event and a means to (a) get back in to the system and set a new password, and (b) contact you if for some reason they can't get back in.

Lastly, if you're not using SSL, none of this matters much.

[KLB]

For security purposes, I can't devulge my source code, however, I can give you gist of how your code should work.

1) User clicks on a "Forgot Password" link

2) Browser asks for username

3) Upon form submission of username, server side script will filter user table for the record matching submitted username.

4) Create a random hash (here's an example):

Code:

	$resetstring= substr (crypt(microtime()),12);
	$strSalt= substr (crypt($email),12,9);
	$resetstring=substr (crypt($resetstring,$strSalt),0)."r";

The goal is to create a really short URL to prevent line wrap problems in the email messsage, and the code above will create a reasonably short key.

5) Write unique key to special password reset field of account in question

6) Send email message to user with a url simular to this: http://mydomain.com/pr/<? echo $resetstring; ?>

7) when user clicks on link the following .htaccess entry will redirect the user to the correct spot:
RewriteRule ^pr/(.*) /recover.html?recover=$1

8) On this page there will be a form that contains the recovery key as a hidden value and asks for a new password and to repeat new password.

9) Upon submission of this form, the record containing this recovery key will be updated with the new password and the recovery key deleted. Eliminating recovery keys after the password has been reset, eliminates this back door and reduces the risk (however small) of there being duplicate recovery keys in the database.

10) User logs in using new password.

Expect the entire process to take you at least a couple hundred lines of code.

[Toly]

If u ask for e-mail address, and wrong one is entered, what happens? You display error msg? That way you politely inform attacker he entered wrong address and give him opportunity to try again...

In that case there should be two forms, one asking for the email and another one for the username. Sometimes a user might forget his/her username too.

[KLB]

My solution is to simply use their email address as their username. It does punish those with long email addresses, but it is one thing they typically won't forget. I don't feel it really lowers the security of an account as stuff will only be sent to that email address, which will make it hard to intercept the password resets.

[boccio]

In that case there should be two forms, one asking for the email and another one for the username. Sometimes a user might forget his/her username too.

Well, you have the point there, but following that paradigm, one might forget it all! username, pwd, e-mail address...Our priority as coders is to make process of recovering forgotten passwords user-friendly, however only to the level which doesn't compromise security.
I'd rather have some user pis**d off cuz he has to open new account or contact website stuff because he forgot both username and e-mail address, then to compromize passwords od 99% of registered users...



@KLB: nicely done, indeed...just one q: why "masking" url of password retrival page with mod_rewrite? random number is long enough to prevent brute force, or maybe I miss somethind?